Gas Station ATGs Exposed to Public

HD Moore from Rapid7 recently disclosed that over 5800 Automated Tank Gauges at gas stations around the world were publicly accessible. Anyone connected to the internet can now view the in-tank inventories of the gas stations and manage the gas tanks.

The process to access the gauges is simple:
1. Telnet into port 10001 of an ATG’s IP.
2. Type ^A (Ctrl A) followed by I20100. This command outputs a basic report.

ATG telnet info

There are over 600 commands that can be executed, some of which include setting alarm thresholds, editing sensor configurations, and running tank tests. You can view them all in the vendor manual.

Commands

A list of affected IP’s can be found on Shodan.

Lizardstresser.su User Enumeration

Background

LizardSquad, the “hacker” group that recently DDoSed Microsoft’s and Playstation’s gaming networks, released a DDoS tool/service that can be found on www.lizardstresser.su.

LizardStresser is simply another booter, a tool that anyone (mostly script-kiddies) can pay to DDoS a target. Like every other booter, LizardStresser is accessible through a webpage (www.lizardstresser.su) where users can signup and pay for booter access.

Lizard Stresser purchase page

Not surprisingly, LizardStresser is extremely poorly written, which led to me to find a user enumeration vulnerability in a few minutes.

Dumping Usernames and UIDs

Through lizardstresser.su’s ticket system, users can request customer support from admins.

After a ticket is created, a user can send messages through the ticket.
Continue Reading…

Reverse Proxy DDoS Protection

Skip to the good part.

Some background info:
In the early years of high school, I was a part of a community that produced game mods (which I’ll now call AAA). There was another community who also developed similar mods (which I’ll now call BBB). Not surprisingly, there was a lot of animosity between the two communities and it quickly escalated to more than competing by building better products.

While both communities didn’t condone it, members of both eventually started launching DDoS attacks against other. The impact of these attacks was more than just taking down the community forums. Since both communities developed game mods, downtime of the servers meant downtime for their thousands of users.

The Problem:
Members of both communities launched DDoS using boaters. Booters, or “network stress testers”, are DDoS services usually comprised of compromised dedicated servers that send massive amounts of traffic. Booters are relatively cheap and extremely easy to use – the perfect option for script kiddies. At the time, an effective booter would cost just a few dollars for an hour of DDoS’ing. If someone wants to take down a server, he goes onto the booter, types in the IP and port, and the attack is sent.

A screenshot of a booter’s control panel.

The downtime had a significant impact. Too much downtime would cause users to leave. Losing customers meant a loss in revenue. At the time, both communities had peaks of 10k simultaneous users each – not a small number.

The admin of AAA was considering paying for DDoS protected servers, which were very, very expensive at the time. The profit margins from the community could not justify renting such a server.
Continue Reading…

Faking Viewers on Twitch TV

Update: It appears that Twitch has capped views to ten per IP. While this method still works, you’ll need to supplement it with proxies or multiple IP’s. It’s still a good read though :)

An intro to Twitch:

Twitch is the largest video game broadcasting community. Most professional gamers live stream onto Twitch and almost every major eSporting event is broadcast through Twitch. There are hundreds of thousands of fans at any given time, all watching live streams.

Since there are hundreds of broadcasters simultaneously streaming, only the top broadcasters get featured on the first page of the channel browser. This position is determined by the number of live viewers watching the live stream. As you can see in the picture below, if you are not ranked in the top 7, you get put in the ominous “View All” button.

In most cases, only the well known broadcasters (usually pro-gamers with large fan bases) are featured on the front page, with all the others hidden away. Because of this, it is extremely hard for new streamers to get their content featured and get more fans. This is a huge catch-22, but according to Twitch, it’s the best way to ensure that only good content gets displayed.

Reverse Engineering Twitch’s View Counter

Although I do not personally play video games or broadcast on Twitch, I wanted to see if there was a way to fake the number of live viewers on a stream in order to be featured on the front page.
Continue Reading…

A Summer with Sharewave in New York

Note to readers: I used the present tense to describe facts and past tense to describe my personal experiences. Sorry for any confusion.

I had the pleasure of working with Sharewave this summer. Sharewave is a platform for private companies to manage their shareholders and investor relations. The Sharewave office is located in the middle of Manhattan, on Madison and 39th – just a few blocks south of Grand Central. This prime location was one of the biggest reasons I chose Sharewave for an internship. As it turns out, however, I got a lot more than I expected.
Continue Reading…